US12506655B2ActiveUtilityA1

Provisioning control apparatus and method for provisioning electronic components or devices

46
Assignee: SECURE THINGZ LTDPriority: Oct 7, 2021Filed: Oct 7, 2022Granted: Dec 23, 2025
Est. expiryOct 7, 2041(~15.2 yrs left)· nominal 20-yr term from priority
Inventors:Andrew Bott
H04L 9/3234H04L 9/0897H04L 9/0825H04L 9/3263H04L 9/0833H04L 9/3265G06F 21/6245H04W 12/76H04W 12/35H04W 12/0431H04L 2463/062H04L 67/1095G06F 21/72G06F 21/572H04L 41/0806H04L 63/065
46
PatentIndex Score
0
Cited by
9
References
14
Claims

Abstract

A provisioning control apparatus is configured to be coupled to a provisioning equipment server, wherein the provisioning equipment server is electrically connectable with one or more electronic devices for provisioning the electronic devices with security sensitive provisioning data. The provisioning control apparatus includes a processor configured to generate a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses. The group context includes a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and the first further provisioning control apparatus is configured to be coupled to the provisioning equipment server. The processor is configured to generate the security sensitive provisioning data based on the group context. The provisioning control apparatus includes a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
         1 . A root or parent provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the electronic devices with security sensitive provisioning data, wherein the root or parent provisioning control apparatus comprises:
 a processor configured to generate a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a child provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the first further provisioning control apparatus is configured to be coupled to the provisioning equipment server;   wherein the processor is further configured to generate the security sensitive provisioning data based on the group context,   wherein the root or parent provisioning control apparatus further comprises a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server,   wherein the certificate for the group provate key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and   wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.   
     
     
         2 . The root or parent provisioning control apparatus of  claim 1 , wherein the communication interface is further configured to provide the group context to the first further provisioning control apparatus. 
     
     
         3 . The root or parent provisioning control apparatus of  claim 1 , wherein the one or more OEM keys comprise an OEM certificate. 
     
     
         4 . The root or parent provisioning control apparatus of  claim 1 , wherein the communication interface is further configured to provide the group context to a security server for generating a proxy provisioning control apparatus on the security server, wherein the proxy provisioning control apparatus is configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus for the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server. 
     
     
         5 . The root or parent provisioning control apparatus of  claim 1 , wherein the processor is further configured to assign an identity to the first further provisioning control apparatus, wherein the identity of the first further provisioning control apparatus is indicative of the root or parent provisioning control apparatus and the first further provisioning control apparatus. 
     
     
         6 . The root or parent provisioning control apparatus of  claim 5 , wherein the processor is further configured to assign an identity to a second further provisioning control apparatus, wherein the identity of the second further provisioning control apparatus is indicative of the root or parent provisioning control apparatus and the second further provisioning control apparatus. 
     
     
         7 . A child provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with security sensitive provisioning data, wherein the child provisioning control apparatus comprises:
 a communication interface configured to receive a group context from a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a root or parent provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption; and   a processor configured to generate the security sensitive provisioning data based on the group context,   
       wherein the communication interface is further configured to provide the security sensitive provisioning data to the provisioning equipment server,
 wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the child provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding provate keys, and 
 wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys. 
 
     
     
         8 . The child provisioning control apparatus of  claim 7 , wherein the one or more OEM keys comprise an OEM certificate. 
     
     
         9 . The child provisioning control apparatus of  claim 7 , wherein the communication interface is further configured to provide the group context to a security server for generating a proxy provisioning control apparatus on the security server, wherein the proxy provisioning control apparatus is configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus in the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server for provisioning the electronic devices with the security sensitive provisioning data. 
     
     
         10 . The child provisioning control apparatus of  claim 7 , wherein the communication interface is further configured to provide the group context to a second further provisioning control apparatus for enrolling the second further provisioning control apparatus in the group of provisioning control apparatuses, wherein the second further provisioning control apparatus is configured to be coupled to the provisioning equipment server for provisioning the electronic devices with the security sensitive provisioning data. 
     
     
         11 . The child provisioning control apparatus of  claim 10 , wherein the communication interface is further configured to receive an identity from the first further provisioning control apparatus, wherein the identity of the child provisioning control apparatus is indicative of the child provisioning control apparatus and the first further provisioning control apparatus. 
     
     
         12 . The root or parent provisioning control apparatus of  claim 11 , wherein the processor is configured to assign an identity to the second further provisioning control apparatus, wherein the identity of the second further provisioning control apparatus is indicative of the child provisioning control apparatus, the first further provisioning control apparatus and the second further provisioning control apparatus. 
     
     
         13 . A provisioning system comprising:
 a root or parent provisioning control apparatus, which includes:   a processor configured to generate a group context for sharing the group context with a child provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the child provisioning control apparatus is a first further provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the child provisioning control apparatus is configured to be coupled to the provisioning equipment server;   wherein the processor is further configured to generate the security sensitive provisioning data based on the group context,   wherein the root or parent provisioning control apparatus further comprises a communication interface configured to provide the security sensitive provisioning data to the provisioning equipment server;   wherein the child provisioning control apparatus is according to  claim 8 ; and   a provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with the security sensitive provisioning data,   wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the child provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and   wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.   
     
     
         14 . A method for operating a root or parent provisioning control apparatus configured to be coupled to a provisioning equipment server, the provisioning equipment server being electrically connectable with one or more electronic devices for provisioning the one or more electronic devices with security sensitive provisioning data, wherein the method comprises:
 generating a group context for sharing the group context with a first further provisioning control apparatus for creating a group of provisioning control apparatuses, wherein the first further provisioning control apparatus is a child provisioning control apparatus, wherein the group context comprises a group private key, a certificate for the group private key and a group encryption key used for encryption and/or decryption and wherein the first further provisioning control apparatus is configured to be coupled to provisioning equipment server;   generating the security sensitive provisioning data based on the group context; and   providing the security sensitive provisioning data to the provisioning equipment server,   wherein the certificate for the group private key of the group context chains back to a root certificate of an entity supplying the root or parent provisioning control apparatus and the first further provisioning control apparatus, wherein generating the group context results in a new group certificate chain being created with corresponding private keys, and   wherein the communication interface is further configured to receive one or more wrapped OEM keys from a remote OEM server and wherein the processor is configured to unwrap the one or more wrapped OEM keys based on the group context and to generate the security sensitive provisioning data based on the one or more OEM keys.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.